Bitcoin Forum
December 08, 2016, 06:06:17 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: Mt. Gox Hack claims  (Read 8471 times)
finack
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 19, 2011, 07:45:20 PM
 #21

Regardless, if there's any evidence at all that the DB is taken, assume the passwords are broken. Now where's the credible evidence the DB was taken?

Quote from: MtGox
UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

oops
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481220377
Hero Member
*
Offline Offline

Posts: 1481220377

View Profile Personal Message (Offline)

Ignore
1481220377
Reply with quote  #2

1481220377
Report to moderator
1481220377
Hero Member
*
Offline Offline

Posts: 1481220377

View Profile Personal Message (Offline)

Ignore
1481220377
Reply with quote  #2

1481220377
Report to moderator
jhansen858
Sr. Member
****
Offline Offline

Activity: 336


View Profile
June 19, 2011, 07:51:38 PM
 #22

its a trick.. Those are the real passwords just happen to be the same length as a hashed password



Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
zerokwel
Sr. Member
****
Offline Offline

Activity: 466



View Profile
June 19, 2011, 08:09:06 PM
 #23

yep the DB was leaked and has been confirmed it has 61020 entrys  with your username email address and a hashed password atlest the passwords where not plain text
hoo2jalu
Member
**
Offline Offline

Activity: 70



View Profile
June 19, 2011, 11:13:10 PM
 #24

...
Unlikely unless you're sloppy.

To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s:

824cfad07c88261afb4dd3285627887a
73550477b12849b2a4dcd3b0db187415
3e567bcbb2aa5c28c47012b857bf6e48
3709fb6b0e1c0b26ff22a19ae92fd080
9133c451dd761d29943dcc653252e2fa
ff111d6144367b4abd99aa4321b0a618
8602188ef5a05a13afc59c51b395426c
da842aa7c84236d17a04098fa1273f2d
...

Well they aren't in any rainbow tables, so they must be pretty long. Judging by the high reward on this, he probably used 15-20 characters. Enough that you might as well keep your computers mining bitcoins, it could be months even for a very powerful group of computers.

16 character alphanumeric. MD5 can be weak as snot, unsalted, and exposed via SQLi and I don't care.

Don't be sloppy with password management!

All of you re-using passwords between sites, re-using usernames and passwords between pools or miner accounts, re-using same email addresses across forums and exchange accounts, ALL OF YOU ARE ASKING TO GET PWNED!

What will it take for this message to sink in? cracking the MtGox hashes shows the majority of you are still being lazy...
elggawf
Sr. Member
****
Offline Offline

Activity: 308



View Profile
June 19, 2011, 11:17:14 PM
 #25

oops

Yeah, that'd do it. That information either wasn't posted, or hadn't caught my attention when I posted before - note there's 2 hours between my post and yours. Wink

^_^
MikesMechanix
Member
**
Offline Offline

Activity: 70



View Profile
June 19, 2011, 11:33:37 PM
 #26

Well they aren't in any rainbow tables, so they must be pretty long. Judging by the high reward on this, he probably used 15-20 characters. Enough that you might as well keep your computers mining bitcoins, it could be months even for a very powerful group of computers.

Already at 10 characters alphanumeric, the possible number of combos is 839299365868340224. @5 Ghash/s, it would take over 5 years to go through them all, and each additional character multiplies the time by 62.

Please send your extra Bitcoins to 17miTorGDBUh3yNTYJtodJPw9wzrcNcf6y. Thank you!

Sign up on TradeHill Instant Bitcoin Exchange using this link to get a lifetime 10 % discount on trades!
ISA
Jr. Member
*
Offline Offline

Activity: 48


View Profile
June 19, 2011, 11:39:47 PM
 #27

This is not me, just came across it on hacker news and thought we should know here.


"
I have hacked into mtgox database. Got a huge number of logins password combos.
Mtgox has fixed the problem now. Too late, cause I've already got the data.
 
Will sell the database for the right price.
Send your offers to:
xxxxxxx@hotmail.com
"

http://news.ycombinator.com/item?id=2670302
http://pastebin.com/ui0nusuZ

Can I pay in Bitcoins? Smiley

Grouver (BtcBalance)
Hero Member
*****
Offline Offline

Activity: 530



View Profile WWW
June 19, 2011, 11:45:02 PM
 #28

Solution to crappy password management

-Create a truecrypt masterkey file: with one sick ass long 50 char pass wich you will save in your mind.  (http://www.truecrypt.org)

-Create a bunch of txt files within in the mounted truecrypt dir with 0 untill 9 digits as filenames.
So:

0.txt
1.txt
2.txt
etc...

-Put in each txt file a generated pass wich is 10 chars minimum.

-Pick a number you like with 3 digits or more.

-Paste each password in the #.txt file behind each other based on the 3 digit code you will remember.


-Go to lastpass.com (www.lastpass.com)

-Download tool.

-Create account

-Use masterkey as master password

-For each website you register in the future... use a 20 digit pass you can generate with lastpass.

-Make a list of all websites you think are important to change the pass.

-Take an hour and change each pass and let lastpass generate one for you.

-Put masterkey file on each hardrive/usb stick you got.

-Done

Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!